https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-make-Splunk-ES-override-urgency-changes/m-p/617109#M11118 <P>Hi all,</P> <P>I have a correlation search that passes alerts from another system into ES and I need to prevent the urgency of the alert from being changed by ES.</P> <P>Essentially I (think I) need ES to ignore the priority of any asset or identity associated with the incident so that the urgency doesn't change.</P> <P>Cany anyone offer any advice on how to do this?</P> <P>Thanks very much&nbsp; <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Edit: I should add, I didn't create the original correlation search and I don't have much experience in this area, hence the question. Thanks again!</P> Fri, 14 Oct 2022 14:52:27 GMT Dworsnop 2022-10-14T14:52:27Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-make-Splunk-ES-override-urgency-changes/m-p/617109#M11118 <P>Hi all,</P> <P>I have a correlation search that passes alerts from another system into ES and I need to prevent the urgency of the alert from being changed by ES.</P> <P>Essentially I (think I) need ES to ignore the priority of any asset or identity associated with the incident so that the urgency doesn't change.</P> <P>Cany anyone offer any advice on how to do this?</P> <P>Thanks very much&nbsp; <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Edit: I should add, I didn't create the original correlation search and I don't have much experience in this area, hence the question. Thanks again!</P> Fri, 14 Oct 2022 14:52:27 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-make-Splunk-ES-override-urgency-changes/m-p/617109#M11118 Dworsnop 2022-10-14T14:52:27Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-make-Splunk-ES-override-urgency-changes/m-p/617224#M11129 <P>This is covered in the ES docs.&nbsp;<A href="https://docs.splunk.com/Documentation/ES/7.0.2/User/Howurgencyisassigned" target="_blank">https://docs.splunk.com/Documentation/ES/7.0.2/User/Howurgencyisassigned</A></P> Sat, 15 Oct 2022 00:36:45 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-make-Splunk-ES-override-urgency-changes/m-p/617224#M11129 starcher 2022-10-15T00:36:45Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-make-Splunk-ES-override-urgency-changes/m-p/617303#M11132 <P>Thanks for the signposting&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/67425">@starcher</a>&nbsp;</P><P>Presumably I'm on the right lines here... "<SPAN>Severity defined in the search syntax results in an event where severity takes precedence over the severity defined in the notable event adaptive response action.</SPAN>"</P><P>Therefore all I need to do is add " | eval severity="high" " to the end of my correlation search?</P> Mon, 17 Oct 2022 07:10:07 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-make-Splunk-ES-override-urgency-changes/m-p/617303#M11132 Dworsnop 2022-10-17T07:10:07Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-make-Splunk-ES-override-urgency-changes/m-p/617466#M11134 <P>That is correct.&nbsp;</P> Tue, 18 Oct 2022 01:52:35 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-make-Splunk-ES-override-urgency-changes/m-p/617466#M11134 starcher 2022-10-18T01:52:35Z